Hi Marki, see inline

Mark Harwood wrote:

It's cool having authorisation restrictions enforced when accessing a page but it would also be useful to query these restrictions when choosing to offer a link in other pages.

I have an implementation which offers this query capability based on a hack of Tomcat authorisation code. The method signature is:

boolean canIAccess(String url, String method, HttpServletRequest currentRequest, ServletContext context)


Is this sort of thing worth rolling into Tomcat somewhere? Without such a feature you effectively end up declaring security restrictions twice - once in web.xml declarations and once in pages that choose to offer links to these secured pages.

-1 for portability reasons. The security mechanism will not work the same way if I define my web app using Tomcat and then move it under another Servlet container. Some users may think their applications are secure under Tomcat, and then move them to another container (security issue).

If you think that every Servlet container should support your method, you can submit your proposal to [EMAIL PROTECTED]

If others on tomcat-dev are interested in your proposal, at least make that behaviour optional and turned off by default :-)

-- Jeanfrancois





Cheers
Mark Harwood

